Thread: Re: user to database restriction?


Re: user to database restriction?

From
Jon August
Date:
Ok, it looks like the final argument is used to set up relationships
between remote unix users to pg users.  So wouldn't that mean that
ultimately the user would be able to view any database anyway since
the pg user can view any database?  (aside from revoking privs at the
table level)

Is there any means of user to database access restriction?



On Sun, 10 Feb 2002, Stephan Szabo wrote:

> > local     all                                       password    postgres
> > host      all     xxx.xxx.xxx.xxx  255.255.255.255  password    postgres
> > local     shopdb                                    password        mark
> > host      shopdb  xxx.xxx.xxx.xxx  255.255.255.255  password        mark
>
> The final argument goes to an external file in $PGDATA that lists users
> (and optionally passwords) for the users that are allowed into the db.


Re: user to database restriction?

From
Stephan Szabo
Date:
On Sun, 10 Feb 2002, Jon August wrote:

>
> Ok, it looks like the final argument is used to set up relationships
> between remote unix users to pg users.  So wouldn't that mean that
> ultimately the user would be able to view any database anyway since
> the pg user can view any database?  (aside from revoking privs at the
> table level)
>
> Is there any means of user to database access restriction?

From my 7.2 pg_hba.conf (I don't believe this was changed from 7.1):

#   password:   Authentication is done by matching a password supplied
#               in clear by the host. If no AUTH_ARGUMENT is used, the
#               password is compared with the user's entry in the
#               pg_shadow table.
#
#               If AUTH_ARGUMENT is specified, the username is looked up
#               in that file in the $PGDATA directory. If the username
#               is found but there is no password, the password is looked
#               up in pg_shadow. If a password exists in the file, it is
#               used instead. These secondary files allow fine-grained
#               control over who can access which databases and whether
#               a non-default password is required. The same file can be
#               used in multiple records for easier administration.
#               Password files can be maintained with the pg_passwd(1)
#               utility. Remember, these passwords override pg_shadow
#               passwords.

I believe it lists pg users that are allowed into the database (and
potentially that they need a special password other than their normal one).

> On Sun, 10 Feb 2002, Stephan Szabo wrote:
>
> > > local     all                                       password    postgres
> > > host      all     xxx.xxx.xxx.xxx  255.255.255.255  password    postgres
> > > local     shopdb                                    password        mark
> > > host      shopdb  xxx.xxx.xxx.xxx  255.255.255.255  password        mark
> >
> > The final argument goes to an external file in $PGDATA that lists users
> > (and optionally passwords) for the users that are allowed into the db.
>
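
Added example (not part of either message and not PostgreSQL code): a small Python model of the "password" rule quoted from pg_hba.conf above, showing how a per-database AUTH_ARGUMENT file limits which pg users get into which database. It assumes that the first matching record decides with no fall-through, that a user missing from the file is rejected, and that the file holds "user" or "user:password" lines; the file contents, the user "alice" and the record order are constructed.

```python
# Model of the 7.1/7.2 "password" auth rule quoted above. Everything here is
# constructed for illustration: file contents, user names and record order.

# Secondary files in $PGDATA keyed by AUTH_ARGUMENT (assumed "user[:password]" lines).
PASSWORD_FILES = {
    "postgres": "postgres\n",
    "mark": "mark\nalice:CRYPTED-PLACEHOLDER\n",
}

# (type, database, auth method, AUTH_ARGUMENT). shopdb is listed before "all"
# because the first matching record is assumed to decide the outcome.
HBA_RECORDS = [
    ("local", "shopdb", "password", "mark"),
    ("local", "all", "password", "postgres"),
]

def parse_password_file(text):
    """Return {username: password or None} for one secondary file."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, rest = line.partition(":")
        users[name] = rest.split(":")[0] or None  # extra fields ignored
    return users

def password_source(conn_type, database, user, records=HBA_RECORDS):
    """Return 'file', 'pg_shadow' or 'rejected' for a connection attempt."""
    for rec_type, rec_db, method, auth_arg in records:
        if rec_type != conn_type or rec_db not in ("all", database):
            continue
        if method != "password":
            raise ValueError("only the password method is modelled")
        if auth_arg is None:
            return "pg_shadow"  # no AUTH_ARGUMENT: compare with pg_shadow
        users = parse_password_file(PASSWORD_FILES[auth_arg])
        if user not in users:
            return "rejected"   # assumed: not listed means not allowed in
        return "file" if users[user] else "pg_shadow"
    return "rejected"           # no record matches this connection

if __name__ == "__main__":
    for db, user in [("shopdb", "mark"), ("shopdb", "postgres"), ("template1", "mark")]:
        print(db, user, password_source("local", db, user))
```

Under the first-match assumption, putting the "all" record ahead of the "shopdb" record sends every local connection to the "postgres" file, so the per-database file is never consulted.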